Thousands of WordPress Sites Hacked via RevSlider Plugin Vulnerability

Here is another important security update for everyone who runs a site on the WordPress CMS. Security researchers have warned that attackers are exploiting a vulnerability in one of the premium WordPress plugins, "Slider Revolution" (RevSlider).

Security experts at Germany’s Computer Emergency Response Team (CERT-Bund) and Yonathan Klijnsma revealed that at least 3,000 websites have been compromised by attackers exploiting a known vulnerability in the Slider Revolution (RevSlider) plugin.

WordPress, one of the most popular open source CMSs, is regularly targeted by hackers, and in most cases the site is compromised through a vulnerability that resides in one of its plugins. This time again, hackers have been leveraging a vulnerability in the RevSlider WordPress plugin in the wild, which has led to the compromise of thousands of WordPress sites.

In December 2014, experts at the firm Sucuri reported that more than 100,000 WordPress websites had been compromised and used to serve the SoakSoak malware.

Yonathan Klijnsma detailed the attack chain in a blog post: the cyber criminals compromised the websites by exploiting a local file inclusion (LFI) vulnerability. Exploiting the LFI flaw gives the attackers access to the server file system; they then create a new administrator account, upload a malicious script, and complete the attack by installing backdoors in files associated with other WordPress plugins.
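The first step of that chain leaves traces in the web server's access log. The following is an added example, not code from Klijnsma's post or from this article: it scans Combined Log Format lines for query parameters that name file-system paths, decoding repeatedly so double-encoded traversal is also caught. The parameter names, IP addresses and log lines are constructed, and the pattern list is an assumption to be tuned per site.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Combined Log Format: host ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Parameter values a legitimate request should never carry: directory
# traversal, or the names of WordPress/system configuration files.
SUSPICIOUS = re.compile(r'(\.\.[/\\]|wp-config\.php|/etc/passwd)', re.IGNORECASE)

# Constructed sample lines (documentation IP ranges, hypothetical parameters).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2015:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=example_action&file=../wp-config.php HTTP/1.1" 200 3120 "-" "-"',
    '203.0.113.7 - - [10/Jan/2015:10:00:05 +0000] "GET /index.php?page=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 512 "-" "-"',
    '198.51.100.4 - - [10/Jan/2015:10:01:12 +0000] "GET /wp-content/uploads/2015/01/photo.jpg?ver=1.2 HTTP/1.1" 200 48211 "-" "-"',
]

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e%252e) is exposed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_lfi_attempts(lines):
    """Return (client, status, param, decoded_value) for each suspicious parameter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected log format
        client, _method, target, status = m.groups()
        # parse_qsl decodes once; fully_decode removes any further layers.
        for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            value = fully_decode(raw)
            if SUSPICIOUS.search(value):
                hits.append((client, int(status), name, value))
    return hits

if __name__ == "__main__":
    for client, status, name, value in find_lfi_attempts(SAMPLE_LOG):
        print(f"{client} status={status} {name}={value}")
```

A hit with a 200 status deserves attention first, since the server answered the request instead of rejecting it.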

The hackers used the compromised sites to distribute exploit kits by redirecting visitors to malicious sites. Klijnsma also mentions that the attackers used the Angler exploit kit in the campaign.

For security, it is recommended to update the RevSlider plugin to the latest version, as a patched version of the plugin is available on the official WordPress website. Apart from this, Klijnsma advises administrators whose websites have been compromised to remove all accounts and create new ones with new passwords, because the attackers gained administrative access to the site, compromising every account that existed at the moment of the attack.